Post on 18-Nov-2014
description
Synchronize AD and OpenLDAP with LSC
Clément OUDOT
2
Table of contents
LDAP Synchronization Connector (LSC)
Active Directory specificities
Synchronize OpenLDAP and AD
3
Resume
4
Clément OUDOT
Engineer since 2003 at LINAGORA company
LinID Dream Team Manager: http://linid.org
Founder of LDAP Tool Box project: http://ltb-project.org
Leader of LemonLDAP::NG project: http://lemonldap-ng.org
5
LDAP Synchronization Connector
LDAP Synchronization Connector
Free software
BSD license
Written in Java
XML configuration files
http://lsc-project.org
LDAP Synchronization Connector
Synchronization :– From/To LDAP, SQL, fichiers
– One-shot or continuous
CSV or LDIF exports of what has been synchronized
Data manipulation engine: Javascript (Rhino), Groovy
API LDAP for scripts
Main features
Source and destination connectors:– LDAPv3 Directories
– JDBC compatible data bases
– Flat files
– Plugins: Google Apps, OBM, ...
LDAPv3 advanced support:– StartTLS, LDAPS
– Paged result
– LDAP Sync (SyncRepl), Persistent search
How it works
Sync phase:– Read all entries in source, get the pivot attribute
– For each entry, read entry in source and in destination, using the pivot attribute
– Apply modifications or create the entry in destination
Clean phase:– Read all entries in destination, get the pivot attribute
– For each entry, read entry in source using the pivot attribute
– Delete entry in destination if not found in source
Configuration overview
<?xml version="1.0" ?>
<lsc xmlns="http://lsc-project.org/XSD/lsc-core-2.0.xsd" revision="1">
<connections></connections>
<tasks></tasks>
</lsc>
LDAP connection
<ldapConnection> <name>ldap-dst-conn</name> <url>ldap://HOSTNAME/SUFFIX</url> <username>DN</username> <password>PWD</password> <authentication>SIMPLE</authentication> <referral>IGNORE</referral> <derefAliases>NEVER</derefAliases> <version>VERSION_3</version> <pageSize>-1</pageSize> <factory>com.sun.jndi.ldap.LdapCtxFactory</factory> <tlsActivated>false</tlsActivated></ldapConnection>
<databaseConnection> <name>jdbc-src-conn</name> <url>jdbc:JDBC_URL</url> <username>USER</username> <password>PWD</password> <driver>JDBC_DRIVER</driver></databaseConnection>
Database connection
Tasks
Several tasks can be defined in one connector
For each task:– Source service (using a connection definition)
– Destination service (using a connection definition)
– Synchronization rules<task> <name>agent</name> <bean>org.lsc.beans.SimpleBean</bean> <databaseSourceService></databaseSourceService> <ldapDestinationService></ldapDestinationService> <propertiesBasedSyncOptions></propertiesBasedSyncOptions></task>
Available services
Source services– databaseSourceService
– ldapSourceService
– asyncLdapSourceService
Destination services– databaseDestinationService
– ldapDestinationService
Synchronization rules
<mainIdentifier>: how to compute the main identifier (DN for an LDAP service)
<conditions>: allowed operations in the task (create, update, delete, changeId)
<dataset>: mapping definition between source and destination attribute
Examples
<dataset> <name>objectClass</name> <policy>KEEP</policy> <forceValues> <string>"top"</string> <string>"person"</string> <string>"organizationalPerson"</string> <string>"inetOrgPerson"</string> </forceValues></dataset>
<dataset> <name>cn</name> <policy>FORCE</policy> <forceValues> <string><[CDATA[srcBean.getDatasetFirstValueById("FIRSTNAME") + srcBean.getDatasetFirstValueById("NAME"); ]]></string> </forceValues></dataset>
LDAP Query Language
Access to srcLdap (source) and ldap (destination) connection objects
Special functions:– attribute(DN, attribute)
– search(base, filter)
– list(base, filter)
– read(base, filter)
– sup(DN, level)srcLdap.attribute( srcLdap.list( "ou=services", "uniqueMember=" + srcBean.getDistinguishName() + "" ), 'description').get(0)
Logs
Logback: http://logback.qos.ch/
Output formats:– Standard : org.lsc.utils.output.LdifLayout
– LDIF: org.lsc.utils.output.LdifLayout• <onlyLdif>true</onlyLdif>
– CSV: org.lsc.utils.output.CsvLayout• <logOperations>create,update</logOperations>
• <attrs>dn;uid;sn;givenName;description;cn</attrs>
• <separator>;</separator>
• <outputHeader>true</outputHeader>
• <taskNames>MyTask</taskNames>
19
Active Directory
20
Connection
No anonymous access
SSL required for some operations (password change)
Paged result to avoid 1000 entries limit
Specific AD configuration to avoir 1500 values limit (range)
21
Schema
Non standard objectclass user:– top
• person– organizationalPerson
» user» InetOrgPerson
Non standard attributes:– sAMAccountName
– unicodePwd
– ...
22
Password
Password can be written, cannot be read
Attribute unicodePwd (~ clear text)
Old password remain valid for one hour
Accepted password in the LDAP modify operation are not always accepted to authenticate (non ASCII characters...)
23
LSC helpers
aDTimeToUnixTimestamp(long aDTime) Transform an AD timestamp to a Unix timestamp.aDTimeToUnixTimestamp(String aDTimeString) Helper method to automatically parse an AD timestamp from a String before calling aDTimeToUnixTimestamp(long).
getAccountExpires(String expireDate) Returns the accountexpires time in Microsoft formatgetAccountExpires(String expireDate, String format) Return the accountexpires time in specified formatgetNumberOfWeeksSinceLastLogon(String lastLogonTimestamp) Return the number of weeks since the last logongetUnicodePwd(String password) Encode a password so that it can be updated in Active Directory in the field unicodePwd.
24
LSC helpers
unixTimestampToADTime(int unixTimestamp) Transform a Unix timestamp to an AD timestamp.unixTimestampToADTime(String unixTimestampString) Helper method to automatically parse a Unix timestamp from a String before calling unixTimestampToADTime(int).
userAccountControlCheck(int value, String constToCheck) Check if a bit is set in UserAccountControluserAccountControlSet(int origValue, String[] constToApply) Set or unset some bits to a UserAccountControl attribute of an AD
userAccountControlToggle(int value, String constToApply) Toggle a bit in UserAccountControl
25
Synchronize OpenLDAP and AD
26
Main configuration
Create a simple LDAP to LDAP connector
Define specific connection parameters for AD
Use SSL to AD if you need to manage password
Define specific attributes needed in AD
Specify the search filters and the pivot attributes
Write datasets for non linear attribute mapping
27
The password problem
Several approaches:– Use AD as the authentication referential, use
SASL from OpenLDAP to forward the authentication to AD
– Keep a plain text or symmetric hashed password in OpenLDAP, to push the password with LSC
– Catch the password when it is changed in AD, trough SFU (Services For Unix), or with a password filter DLL (example: PasswdHK)
28
Almost the end...
29
Thanks
Special thanks to:– LDAPCon !
– Company LINAGORA
– All LiniD developers
Keep in touch:– Identica: @coudot
– Twitter: @clementoudot @LinID_FOSS
– IRC: KPTN #LinID@freenode
– Web: http://linid.org
Thanks!